Skip to Content
  • Last week, WellPoint, one of the nation’s largest insurers, settled a HIPAA violation case brought by the Department of Health and Human Services. In a self-reported violation, WellPoint was found to have exposed the personal information of over 612,000 individuals in what WellPoint termed a “lapse in its online security during a routine upgrade of its system.” The “lapse” occurred during a routine online upgrade of WellPoint’s tracking system.

    HHS said, in a statement, “This case sends an important message to HIPAA covered entities to take caution when implementing changes to their information systems, especially when those changes involve updates to web-based applications or portals that are used to provide access to consumers’ health data using the Internet.” The investigation concluded that WellPoint did not take proper procedural safeguards in ensuring that information could not be accessed during the upgrade. Specifically, HHS concluded that:

    WellPoint:

    • Did not adequately implement policies and procedures for authorizing access to ePHI maintained in its web-based application database consistent with the applicable requirements of the HIPAA Security Rule.
    • Did not perform an adequate technical evaluation in response to a software upgrade, an operational change affecting the security of ePHI maintained in its web-based application database;
    • Did not adequately implement technology to verify the identity of a person or entity seeking access to ePHI maintained in its web-based application database;
    • Impermissibly disclosed the names, dates of birth, addresses, Social Security numbers, telephone numbers and health information, of approximately 612,000 individuals whose ePHI was maintained in the web-based application database

    The violation also has resulted in several civil lawsuits brought by individual insureds.

    The WellPoint settlement is yet another illustration of the serious nature of ensuring patient data. As we progress aggressively towards online and electronic patient data, caution cannot be disregarded and, indeed, must be paramount. Each provider should have a protocol in place to safeguard patient data. The protocol should satisfy the new HIPAA guidelines and should be revisited every six months as an addition precaution.   

    by Richard E. Haskin

    For more information about this topic please contact:    Richard E. Haskin Partner Gibbs Giden Locher Turner Senet & Wittbrodt LLP 7450 Arroyo Crossing Parkway, Suite 270 Las Vegas, Nevada 89113 Ph: (702) 836-9800 Fax: (702) 836-9802 email: rhaskin@ggltsw.com

    View or Print pdf

    The content contained herein is published online by Gibbs Giden Locher Turner Senet & Wittbrodt LLP (“GGLTSW”) for informational purposes only, may not reflect the most current legal developments, verdicts or settlements, and does not constitute legal advice. Do not act on the information contained herein without seeking the advice of licensed counsel. For specific questions about any of the content discussed herein or any of the content posted to this website please contact the article attorney author or send an email to info@gibbsgiden.com. The transmission of information on this, the GGLTSW website, or any transmission or exchange of information over the Internet, or by any of the included links is not intended to create and does not constitute an attorney-client relationship. For a complete description of the terms of use of this website please see the Legal Notices section at /legal-disclaimer/. This publication may not be reproduced or used in whole or in part without written consent of the firm.

    Copyright 2013 Gibbs Giden Locher Turner Senet & Wittbrodt LLP